Payment card security compliance is directly related to the ability to defend against cyber attacks

A recent report published by Verizon, a highly respected security consultancy, highlighted that of all the card data breaches it investigated, not a single breached organization was fully compliant with the Payment Card Industry Data Security Standard (PCI DSS). The report also found that businesses adhering to the standard were at lower risk of falling victim to cyber attacks.

What is the PCI DSS?

The PCI DSS is an information security standard designed for businesses and other organizations that handle branded credit cards. Its aim is to combat credit card fraud. The standard is mandated by the card brands and administered by the Payment Card Industry Security Standards Council. In general, it comprises 12 specific requirements for compliance. Issuing banks are not required to undergo the PCI DSS validation assessment, but they are nevertheless obliged to secure sensitive data in a similar manner.

In the event of a breach, organizations that were not compliant when the breach occurred are subject to additional card scheme penalties, such as fines. At the same time, PCI DSS validation is not obligatory for every entity. Although both Visa and MasterCard require merchants to be validated against the PCI DSS, Visa also offers an alternative called the Technology Innovation Program (TIP), under which qualified merchants may discontinue the yearly PCI DSS validation assessment. Merchants or service providers eligible for this program are those already implementing other anti-fraud measures, such as the adoption of EMV or point-to-point encryption.

Businesses are failing to maintain compliance

The Verizon 2017 Payment Security Report established that every organization investigated for a data breach had failed to maintain compliance with the 12 key PCI DSS requirements. In 2016, 55.4% of organizations passed their interim assessment, while in 2015 only 48.4% managed to do so. Although the figure is rising, it still shows that, to date, almost half of the businesses accepting card payments, such as restaurants, retailers, and hotels, fail compliance year after year. This is worrying because, as Rodolphe Simonetti, Global Managing Director at Verizon, underlines, adherence to the PCI DSS requirements directly influences an organization's ability to protect itself against cyber attacks.

Surprising real case scenarios discovered by Verizon

The most compliant sector identified by Verizon was IT, with an average of 61.3% of companies adhering to the PCI DSS requirements. Financial services organizations came next with 59.1% adherence. Retailers' compliance stood at only 50%, while the hospitality sector lagged behind at just 42.9%. Financial services organizations faced the highest number of compliance challenges, including security procedures, protection of data in transit and vulnerability management, amongst others.

One real case encountered by Verizon was that of a financial services organization seeking an exemption from the PCI DSS wireless requirements. The organization was not even aware that it had no wireless network in its building.

The control gap is widening

Companies are expected to have certain PCI controls, such as security testing and penetration tests, in place. However, Verizon noted that many basics were absent, and the figure is on the rise: in 2015, an average of 12.4% of required controls were missing, while in 2016 the figure climbed to 13%.

Rodolphe Simonetti explains that many organizations still view the PCI DSS controls as individual elements to be implemented one by one, whereas the right approach is to treat all of these controls as a set of baseline requirements that must be met as a whole. “They should not be isolated as they are inter-related,” he highlighted. Organizations should be thinking about how to protect data rather than about whether data should be protected at all.

Key guidelines to assist in control management

There are certain basic yet key guidelines that can help businesses and organizations with control lifecycle management:

There is no need to bolt on further security controls, as the PCI DSS already consists of several interlinked data protection controls.

Organizations are advised to invest in expertise so that staff know how to monitor and measure the effectiveness of the controls.

Maintaining an internal control environment is equally crucial to keeping the general controls compliant.

Automation and a defined data protection workflow are major assets.

Understand that all controls are interlinked, and how the failure of one control may affect another.